Active Directory and LDAP Authentication
Graylog supports Active Directory and LDAP synchronization for user management from your organizational identity source. For Graylog Enterprise users, this integration includes the ability to synchronize your identity source groups to Graylog teams.
Prerequisites
Before proceeding, ensure that the following prerequisites are met:
- You must be a Graylog administrator to enable Active Directory or LDAP authentication.
- You must have Active Directory or LDAP credentials. Obtain these credentials from your identity provider.
Set Up Synchronization
Active Directory and LDAP are related but different systems from Microsoft. Therefore, many of the setup steps in Graylog are the same, including the user credentials you need to enter. The setup procedure for both services follows these basic steps:
- Server configuration
- User synchronization
- Group synchronization (Enterprise only)
Each section is described in detail below.
Server Configuration
In this section, you choose whether to set up Active Directory or LDAP. However, the steps are the same with either option.
- Navigate to System > Authentication.
- Select Create service, then select Active Directory or LDAP from the drop-down menu.
- On the Server Configuration page, fill in the following fields:
  Title
  Enter a name for the identity provider.
  Description (optional)
  Add a meaningful description.
  Server Address
  Enter the address of the identity provider, including the port. You can enter this value as an IP address or a fully qualified domain name (FQDN). Every Graylog server must be able to resolve the address and reach the identity provider.
  Security options
  Select security options for communication between Graylog and the identity provider. Choose an encryption method:
  - None: No encryption is used.
  - TLS: Communication is secured by TLS.
  - StartTLS: Uses a secure connection if available but allows for an insecure connection.
  Verify Certificates: Select this check box to ensure that the server certificate is validated when the connection is established.
  System User DN
  Enter the distinguished name of the user account Graylog uses for the initial connection (the bind). Follow the on-screen text for how to format this value.
  System Password
  Enter the password for the initial connection.
  Hint: You need to provide valid user credentials and connection information from your identity provider. Check the Microsoft documentation for details.
- Click Test Server Connection to verify that Graylog can connect to the provider with the given credentials. You must establish a valid connection to synchronize users and other information. Resolve any connection problems before proceeding.
- Click Next: User Synchronization.
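As an added example (not part of the Graylog documentation), the following Python reviews the Server Address and Security options described above from a defender's point of view. It parses the address into host and port and flags combinations that weaken the connection to the identity provider. The option names mirror the list above; the port conventions (389 for LDAP, 636 for LDAPS) are standard but are stated here as assumptions.

```python
import ipaddress
import re

# Encryption option names as they appear in the Security options list above.
ENCRYPTION_OPTIONS = ("None", "TLS", "StartTLS")


def parse_server_address(address):
    """Split a Server Address of the form host:port or [ipv6]:port into
    (host, port, is_ip). Raises ValueError when the port is missing."""
    m = (re.fullmatch(r"\[([^\]]+)\]:(\d{1,5})", address)
         or re.fullmatch(r"([^:]+):(\d{1,5})", address))
    if not m:
        raise ValueError("server address must be host:port or [ipv6]:port")
    host, port = m.group(1), int(m.group(2))
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    try:
        ipaddress.ip_address(host)
        return host, port, True
    except ValueError:
        return host, port, False


def review_transport(address, encryption, verify_certificates):
    """Return a list of findings for the chosen transport settings.
    An empty list means nothing to object to."""
    if encryption not in ENCRYPTION_OPTIONS:
        raise ValueError(f"unknown encryption option {encryption!r}")
    host, port, is_ip = parse_server_address(address)
    findings = []
    if encryption == "None":
        findings.append("cleartext: the System Password is sent unencrypted on every bind")
    if encryption == "StartTLS":
        findings.append("StartTLS can fall back to an unencrypted session if the "
                        "server does not offer TLS")
    if encryption != "None" and not verify_certificates:
        findings.append("Verify Certificates is off: an impersonating server cannot "
                        "be told apart from the real one")
    if encryption == "TLS" and port == 389:
        findings.append("TLS on port 389: LDAPS normally listens on 636 (assumed default)")
    if encryption != "None" and verify_certificates and is_ip:
        findings.append(f"IP address {host} with certificate verification: the "
                        "certificate must list that IP in its SAN")
    return findings


if __name__ == "__main__":
    for f in review_transport("ad.example.com:389", "StartTLS", False):
        print("finding:", f)
```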
User Synchronization
The user synchronization section is where you identify which identity source users you want to import into Graylog. You also configure details such as how the information maps to Graylog.
Note that in this section, the required information is different between Active Directory and LDAP. Choose the set of steps that is correct for the service you are setting up.

Active Directory
- On the User Synchronization page, fill in the following fields:
  Search Base DN
  The base tree to limit the Active Directory search query to, for example, cn=user,dc=example,dc=com. This value works in combination with the Search Pattern to determine where in Active Directory to find relevant user information.
  Search Pattern
  The search pattern used to find users in Active Directory to map to Graylog users. Use the suggested default unless customization in your environment is necessary.
  Name Attribute
  The Active Directory attribute to use for the username of the user in Graylog, for example, userPrincipalName.
  Full Name Attribute
  The Active Directory attribute to use for the full name of a synchronized Graylog user, for example, displayName.
  Default Roles
  The default Graylog roles to assign to the synchronized user. All users need the Reader role to use the Graylog web interface.
  Hint: You can assign additional roles or team membership to users after their initial log on if group sync is enabled.
  In most cases, the suggested values for fields are correct. If you need to update for customization in your environment, check the Microsoft documentation.
- Perform the User Login Test. Enter a valid username and password for an Active Directory user that you want to connect to Graylog, then click Test User Login to verify your user synchronization settings. Resolve any connection issues before proceeding.
- If you intend to set up group synchronization, click Next: Group Synchronization. Otherwise, click Finish & Save Identity Service to complete Active Directory setup.

LDAP
- On the User Synchronization page, fill in the following fields:
  Search Base DN
  The base tree to limit the LDAP search query to, for example, cn=users,dc=example,dc=com. This value works in combination with the Search Pattern to determine where in LDAP to find relevant user information.
  Search Pattern
  The search pattern used to find users in LDAP to map to Graylog users. Use the suggested default unless customization in your environment is necessary.
  Name Attribute
  The LDAP attribute to use for the username of the user in Graylog, for example, uid.
  Email Attributes
  The LDAP attribute to use for the user's email address, for example, mail. To specify multiple attributes, press Tab or Enter after each value.
  Full Name Attribute
  The LDAP attribute to use for the full name of a synchronized Graylog user, for example, cn.
  ID Attributes
  The LDAP attribute to use for the ID of a synchronized Graylog user, for example, entryUUID.
  Default Roles
  The default Graylog roles to assign to the synchronized user. All users need the Reader role to use the Graylog web interface.
  Hint: You can assign additional roles or team membership to users after their initial log on if group sync is enabled.
  In most cases, the suggested values for fields are correct. If you need to update for customization in your environment, check the Microsoft documentation.
- Perform the User Login Test. Enter a valid username and password for an LDAP user that you want to connect to Graylog, then click Test User Login to verify your user synchronization settings. Resolve any connection issues before proceeding.
- If you are setting up group synchronization, click Next: Group Synchronization. Otherwise, click Finish & Save Identity Service to complete LDAP setup.
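As an added example (not Graylog's own code), the following Python shows how the Search Base DN and Search Pattern fields above fit together: the base DN is split into its relative distinguished names, and the login name entered in the User Login Test is substituted into the pattern with RFC 4515 filter escaping, which is what keeps characters such as `*`, `(` and `)` in a login name from changing the meaning of the query. It assumes Graylog's `{0}` placeholder convention; the two patterns used in the demo are assumed defaults, not values taken from this page.

```python
import re

# RFC 4515: characters that must be escaped inside an LDAP filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value so it is matched literally inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(search_pattern, login_name):
    """Fill the Search Pattern with the login name. Assumption: the pattern
    marks the username position with the placeholder {0}."""
    if "{0}" not in search_pattern:
        raise ValueError("search pattern has no {0} placeholder for the username")
    return search_pattern.replace("{0}", escape_filter_value(login_name))


def parse_base_dn(dn):
    """Split a Search Base DN such as cn=users,dc=example,dc=com into
    (attribute, value) pairs. A comma escaped as \\, inside a value does
    not start a new RDN and is preserved as written."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.partition("=")
        attr, value = attr.strip().lower(), value.strip()
        if not sep or not value or not re.fullmatch(r"[a-z][a-z0-9-]*", attr):
            raise ValueError(f"malformed RDN {part!r} in base DN {dn!r}")
        rdns.append((attr, value))
    return rdns


if __name__ == "__main__":
    # Assumed default patterns for the two service types; constructed demo values.
    ad_pattern = "(&(objectClass=user)(sAMAccountName={0}))"
    ldap_pattern = "(&(objectClass=inetOrgPerson)(uid={0}))"
    print(parse_base_dn("cn=users,dc=example,dc=com"))
    print(build_user_filter(ad_pattern, "j.doe"))
    # A login name containing filter metacharacters stays a literal match.
    print(build_user_filter(ldap_pattern, "j.doe*)(uid=*"))
```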
Group Synchronization
This is a Graylog Enterprise feature. A valid Graylog Enterprise license is required.
Group synchronization allows you to use existing groups from your identity provider to create teams in Graylog.
Note that in this section, the required information is different between Active Directory and LDAP. Choose the correct steps for the service you are setting up.

Active Directory
- On the User Synchronization page, select the Enable Group Synchronization check box. Enabling this option allows you to enter the required information below.
- Fill in the following fields:
  Group Search Base DN
  The base tree to limit the Active Directory group search query to, for example, ou=people,dc=example,dc=com.
  Group Search Pattern
  The search pattern used to find groups in Active Directory for mapping to Graylog teams, for example, (objectClass=group).
  Team Name Attribute
  The Active Directory attribute to use for the full name of the team in Graylog, for example, cn.
  Default Team Roles (optional)
  The default Graylog roles to assign to the synchronized team. All users in a team inherit these roles.
- Click Load matching groups to see which Active Directory groups will be imported with the current settings. Note that this check succeeds only if the connection information on the Server Configuration page is valid in addition to the configuration on this page. Resolve any errors before proceeding.
- Select which groups to import from the list returned by the previous check. Use the Select type filter as follows:
  - Include all: All matching groups are synchronized.
  - Include selected: Only the groups you select in the list are synchronized.
  - Exclude selected: The groups you select in the list are excluded and all other groups are synchronized.
- Click Finish & Save Service.

LDAP
- On the User Synchronization page, select the Enable Group Synchronization check box. Enabling this option allows you to enter the required information below.
- Fill in the following fields:
  Group Search Base DN
  The base tree to limit the LDAP group search query to, for example, ou=people,dc=example,dc=com.
  Group Search Pattern
  The search pattern used to find groups in LDAP for mapping to Graylog teams, for example, (objectClass=group).
  Team Name Attribute
  The LDAP attribute to use for the full name of the Graylog team, usually cn.
  Team ID Attribute
  The LDAP attribute to use as the unique ID of the Graylog team, for example, entryUUID.
  Default Team Roles (optional)
  The default Graylog roles to assign to the synchronized team. All users of a team inherit these roles.
- Click Load matching groups to see which LDAP groups will be imported with the current settings. Note that this check succeeds only if the connection information on the Server Configuration page is valid in addition to the configuration on this page. Resolve any errors before proceeding.
- Select which groups to import from the list returned by the previous check. Use the Select type filter as follows:
  - Include all: All matching groups are synchronized.
  - Include selected: Only the groups you select in the list are synchronized.
  - Exclude selected: The groups you select in the list are excluded and all other groups are synchronized.
- Click Finish & Save Service.